I'm trying to configure a new installation of OpenLDAP (2.6.39) on Arch Linux. I've used the default core packages to install and configure it, however I cannot get it to obey any access control declarations in the settings file.

My /etc/openldap/slapd.conf has just these two declarations that I got from the docs:

access to attr=userPassword
    by self =xw
    by anonymous auth
    by * none

access to *
    by self write
    by users read
    by * none

I've started the service normally and most things seem to work. I can login using pam/nslcd and use phpldapadmin. However the above access restrictions do not seem to be working. From phpldapadmin I was able to see and change the password field for users other than the uid I connected with. The same happens using the command line client (output cropped):

$ ldapsearch -D 'uid=user2,ou=People,dc=example,dc=com' -w 1234 '(uid=user1)'
userPassword:: e1NTSEF9VEZ4K2U1M0JtUEU0NkljdlBPaTBycE41RTh2aXJNeTg=

As you can see I am authenticating using user2 but am able to query the entry for user1 and see the password field.

Other declarations in slapd.conf are clearly in effect, so I'm not editing the wrong file or something like that. I've tried setting draconian rules like access to * by * none as the only rule but am still able to see anything in the directory from any user. I'm placing the access lines at the place in the default configuration where the sample ones were.

How do I make OpenLDAP actually heed the ACLs in its config file instead of ignoring them?

Caleb

1 Answer

Most of the configuration for OpenLDAP (including ACLs) really belongs in the cn=config configuration subtree. It's possible you have something in there that overrides your statements in slapd.conf. See this documentation to read about the modern way to configure your LDAP server.

As a transitional measure, the Arch Linux packages for OpenLDAP come with a slapd.conf file, but if you follow the instructions on their wiki you will find at the end of the setup section they have you automatically convert this to the new format.

Note: With OpenLDAP 2.4 the configuration of slapd.config is deprecated. From this version on all configuration settings are stored in /etc/openldap/slapd.d/.

To store the recent changes in slapd.conf to the new slapd-config configuration settings, we have to delete the old configuration files first:

# rm -rf /etc/openldap/slapd.d/*

Then we generate the new configuration with:

# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

This last command has to be run every time you change slapd.conf.

Note especially the line at the end. If you choose to make future config changes in the old format you will need to convert them every time.

Sven
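The answer's point is that slapd only enforces what is in cn=config (slapd.d), so an edited slapd.conf that was never re-run through slaptest leaves the old olcAccess rules (or none at all) in effect. The following is an added example, not part of the question or answer and not OpenLDAP's own tooling: a small drift check that parses the `access to ...` stanzas in a slapd.conf and the `olcAccess` attributes in the converted database LDIF, and reports any rule that differs or is missing. It assumes slaptest's output format of one `olcAccess: {n}to ... by ...` attribute per rule with standard LDIF line folding, and that the database entry lives in a file such as /etc/openldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif (the file name is an assumption; the sample inputs below are constructed to mirror the question).

```python
"""Compare ACLs in slapd.conf with the olcAccess rules in a converted slapd.d LDIF.

Added example: reports rules that slaptest has not (yet) written into cn=config.
"""
import re
import sys

# Constructed sample: the two rules from the question, in slapd.conf syntax.
SLAPD_CONF = """\
# access control as in the question
access to attr=userPassword
    by self =xw
    by anonymous auth
    by * none

access to *
    by self write
    by users read
    by * none
"""

# Constructed sample: what slaptest emits for those rules (LDIF folds long
# lines with a leading space on the continuation line).
CONVERTED_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcAccess: {0}to attr=userPassword by self =xw by anonymous auth by * non
 e
olcAccess: {1}to * by self write by users read by * none
"""

# Constructed sample: a slapd.d that was generated before the rules were added.
# With no olcAccess at all, slapd falls back to its default of read for everyone,
# which is exactly the symptom described in the question.
STALE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
"""


def normalize(rule):
    """Collapse runs of whitespace so folded and indented forms compare equal."""
    return " ".join(rule.split())


def parse_slapd_conf_acls(text):
    """Return the 'to ... by ...' body of each access stanza, in file order."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()  # slapd.conf continuation line
        else:
            logical.append(raw.strip())
    return [normalize(line[len("access "):]) for line in logical
            if line.startswith("access ")]


def parse_ldif_access(text):
    """Return olcAccess rule bodies ordered by their {n} index, LDIF unfolded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # LDIF continuation: strip the single leading space
        else:
            unfolded.append(raw)
    rules = {}
    for line in unfolded:
        m = re.match(r"olcAccess:\s*\{(\d+)\}(.*)$", line)
        if m:
            rules[int(m.group(1))] = normalize(m.group(2))
    return [rules[i] for i in sorted(rules)]


def acl_drift(conf_text, ldif_text):
    """List (index, expected, actual) for every position where the two disagree."""
    want = parse_slapd_conf_acls(conf_text)
    have = parse_ldif_access(ldif_text)
    drift = []
    for i in range(max(len(want), len(have))):
        expected = want[i] if i < len(want) else None
        actual = have[i] if i < len(have) else None
        if expected != actual:
            drift.append((i, expected, actual))
    return drift


def report(conf_text, ldif_text):
    """Human-readable summary; returns True when cn=config matches slapd.conf."""
    drift = acl_drift(conf_text, ldif_text)
    if not drift:
        print("OK: every access rule in slapd.conf is present in cn=config")
        return True
    for i, expected, actual in drift:
        print(f"rule {{{i}}}: slapd.conf={expected!r} cn=config={actual!r}")
    print("re-run: slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/")
    return False


if __name__ == "__main__":
    # Usage: python acl_drift.py slapd.conf 'slapd.d/cn=config/olcDatabase={1}mdb.ldif'
    if len(sys.argv) == 3:
        conf = open(sys.argv[1]).read()
        ldif = open(sys.argv[2]).read()
    else:  # no arguments: run against the constructed samples
        conf, ldif = SLAPD_CONF, STALE_LDIF
    sys.exit(0 if report(conf, ldif) else 1)
```

Run with no arguments, it uses the stale sample and reports both rules as missing from cn=config; with real paths it compares the live files. Rules are compared positionally because slapd evaluates them in `{n}` order and the first matching `to` clause wins, so a reordered rule is as much a change as a rewritten one.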